How to create a mobile device policy in the BYOD era

Bring-your-own device (BYOD) policies might placate workers who can't live without their iPhone but several steps, including employee agreements, are needed to ensure a potential security nightmare is avoided, according to one analyst.

Speaking at the recent Gartner Security and Risk Summit in Sydney, US analyst John Girard told the audience that when forming a policy, IT executives first needed to realise that BYOD may actually end up costing the company more.

“Charges are a big issue because we’re telling people to use their own equipment,” he said. “If you pass all the costs on to the user you have to accept that it changes service-level agreements.”

BYOD necessary but increases costs: IDC

Girard provided the following tips for a successful BYOD policy.

Get employee agreements in writing

According to Girard, a signed piece of paper can help to avoid arguments between CIOs and other C-level executives.

For example, if a C-level executive loses data on their mobile device and tries to blame it on the IT manager, the IT manager can show the executive a copy of the document they signed which shows they are responsible for their own backups.

“Your biggest problem is data exposure and compliance. If the user loses their device or it’s a shared device, at some point you have to provide accountability such as who had access [to data] and where was it shared,” he said.

“That’s the essence of fines, disclosure and operational difficulties that a lot of companies get into. We’ve seen some big fines come out but it can be extremely expensive to mitigate all the breach disclosures that go on after information has been lost.”

Mobile device certificates

If the company uses applications where data is stored on the mobile device, Girard suggested the use of certificates to invite people to get access to the virtual private network (VPN), email or Wi-Fi services.

“Certificates are an in-depth imbedded part of mobile application architecture and operating system architecture,” he said.

“If you are using a mobile device management [MDM] tool, you get a very simple console that allows you to specify use patterns for people who are getting access by certificate,” he said.

MDM tools

According to Girard, MDM tools will cost the enterprise money but save IT executives time and effort.

For example, he cited a Symantec MDM product that includes a requirement for user authentication, rules on if users can store business data on the device and when that information has to be deleted.

“This leads to a dashboard which shows which of your users are following the policy and leads you to an exception report which indicates if anyone tries to jailbreak their device,” he said.

“If the device is jailbroken, the mobile management system will show what actions were taken such as no more access to email or the VPN while the device remains jailbroken.”

Latest mobile operating systems

In addition, IT executives needed to impose strict a BYOD policy with regards to older iOS and Android operating systems (OS) because of vulnerabilities.

For example, Girard said that the iPhone would need to be the 3GS model running iOS 5 or a newer version of the OS.

“If it’s an Android device you have to say Android 4 or later and ask for proof that the [Android] device has encryption. That is because Android certification does not require proof of encryption.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow CIO Australia on Twitter: @CIO_Australia

Copyright © 2012 IDG Communications, Inc.

7 secrets of successful remote IT teams